Here we will discuss different types of attacks which might enable us to authenticate as a domain user and gain initial access.
Important Issues
KRB_AP_ERR_SKEW (Clock skew too great)
A common issue when attacking Kerberos is that the local clock needs to match the time on the target. When using a VM, the time sync setting is enabled, which doesn't allow us to change the time correctly.
timedatectl set-ntp 0
The command above deactivates the time synchronization from the VM with the host.
sudo ntpdate -u 10.10.10.100
The command above sets the time to match the specified target.
Responder
If we find a form which seems to connect to a server and we can change the server address, we might be able to catch some hashes or credentials. For this we will use impacket responder.
sudo responder -I tun0
There are many options we can use with responder. Above is the most basic use.
For the attack to succeed we need valid usernames to check whether they lack the Kerberos pre-authentication required attribute.
We can also use Rubeus to execute the same attack.
Once we have retrieved the hash we can crack it using the following command:
Now we should have the password for the hash.
Kerberoasting
To abuse kerberoasting we need to have an Active Directory account that has a Service Principal Name ("SPN") set.
An SPN is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account.
Doing so allows a client application to request service authentication for an account even if the client doesn't have the account name.
In a kerberoasting attack an authenticated user requests a Kerberos service ticket (TGS) for an SPN.
The retrieved TGS is encrypted with the hash of the service account password.
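As an added defensive example (not code from the original page), the following Python flags the pattern described above in Windows Security log events: Event ID 4769 service ticket requests with RC4 encryption (type 0x17) for user service accounts, and a single requester covering several SPN accounts. The event data, the reduced field names, and the threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of Windows Security log events (Event ID 4769,
# "A Kerberos service ticket was requested"), reduced to the fields this
# check needs. All values are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "httpsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "backupsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.9"},
    {"EventID": 4768, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.9"},
]

RC4_HMAC = "0x17"  # etype 23: legacy RC4, key derived directly from the NT hash


def is_machine_account(name):
    """Machine accounts end in '$'; their long random passwords are not crackable."""
    return name.split("@")[0].endswith("$")


def rc4_service_ticket_requests(events):
    """Keep 4769 events whose ticket is RC4-encrypted and issued for a user service account."""
    return [
        e for e in events
        if e["EventID"] == 4769
        and e["TicketEncryptionType"].lower() == RC4_HMAC
        and not is_machine_account(e["ServiceName"])
        and e["ServiceName"].lower() != "krbtgt"
    ]


def roasting_candidates(events, min_services=3):
    """Map requesting user -> sorted distinct service accounts, for users whose
    RC4 ticket requests cover at least `min_services` different SPN accounts."""
    by_user = defaultdict(set)
    for e in rc4_service_ticket_requests(events):
        by_user[e["TargetUserName"]].add(e["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= min_services}


if __name__ == "__main__":
    for user, services in roasting_candidates(SAMPLE_EVENTS).items():
        print(f"{user} requested RC4 tickets for {len(services)} services: {services}")
```

Enforcing AES-only encryption types on service accounts and long random passwords removes the crackable material the check is looking for.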
We have many tools to abuse kerberoasting.
impacket
Rubeus
netexec
After we have retrieved the hash, we use hashcat to brute-force the password.
Cracking
We should now have the password and access to some new information.